Overview
SANA (Security Analysis in Internet Traffic) is a project currently carried out at the University of Luxembourg. The goal is to analyse network traffic and determine how intrusions, e.g. viruses, worms and hackers, assault the network. For this purpose, an artificial immune system is introduced, modelled on the human immune system, which is a nearly perfect system for protecting the human body against pathogens.
There are several approaches to network protection using an artificial immune system. Unfortunately, they all have some disadvantages, e.g. the artificial cells do not work autonomously or the artificial cells do not move through the network. Therefore, the artificial immune system in SANA is designed with respect to two main features:
- The artificial cells work autonomously. In all situations, the artificial cell knows how to behave. Furthermore, there is no central component which could be attacked.
- The artificial cells are lightweight and fully mobile. Thus, it is hard for an attacker to forecast the strategy of the artificial immune system. Furthermore, the computational power used by the artificial cells is shared over all network nodes.
Furthermore, the artificial immune system is designed to provide a runtime environment for the artificial cells which perform the protection tasks. Consequently, new types of artificial cells can introduce new tasks, and nearly all immunological processes can be modelled.
Implementation
The artificial immune system is implemented in Java. It is based on a network simulator which generates the network traffic. The adversary of the network traffic injects packets containing attacks, and the artificial immune system tries to identify these packets. Furthermore, it is also possible to simulate a network with a NIDS in order to compare the approaches.
Network Simulator
The network simulator is designed following the paradigm "keep it small and simple". I implemented a simulator in Java using the Adversarial Queueing Theory introduced by Andrews et al. in 1996 and 2001. The network simulator uses FIFO for queueing and, for routing, an algorithm which calculates the shortest path to the destination. Furthermore, the simulation provides an adversary which injects packets over time in order to stress the network. The adversary injects randomised packets with a randomised source and destination; with a certain probability a packet is bad. The adversary also adapts to the situation of the network in order to stress the network well without overstressing it.
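The following is an added example, not the SANA simulator itself, showing the three ingredients the paragraph names in a few dozen lines of Java: one FIFO queue per node, a shortest-path routing table built by breadth-first search, and an adversary that injects random packets (bad with a fixed probability) and halves its rate when the total backlog exceeds a limit. All names, the topology and the parameters are constructed for the example.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Deque;
import java.util.List;
import java.util.Random;

/** Added example: a tiny FIFO, shortest-path network simulator with an adaptive adversary (not the SANA code). */
public class MiniSimulator {

    /** A packet with a random source and destination; "bad" marks a packet the adversary injected as an attack. */
    static final class Packet {
        final int src, dst;
        final boolean bad;
        Packet(int src, int dst, boolean bad) { this.src = src; this.dst = dst; this.bad = bad; }
    }

    final int n;                               // number of nodes
    final List<List<Integer>> adj;             // undirected topology as adjacency lists
    final List<Deque<Packet>> queues;          // one FIFO queue per node
    final int[][] nextHop;                     // nextHop[v][d]: neighbour of v one hop closer to d
    final Random rng;                          // seeded, so a run is reproducible
    int delivered = 0, badDelivered = 0;       // counters read by the caller after a run

    MiniSimulator(int n, int[][] edges, long seed) {
        this.n = n;
        this.rng = new Random(seed);
        adj = new ArrayList<>();
        queues = new ArrayList<>();
        for (int i = 0; i < n; i++) { adj.add(new ArrayList<>()); queues.add(new ArrayDeque<>()); }
        for (int[] e : edges) { adj.get(e[0]).add(e[1]); adj.get(e[1]).add(e[0]); }
        nextHop = new int[n][n];
        for (int d = 0; d < n; d++) buildRoutes(d);
    }

    /** Breadth-first search from destination d fills the shortest-path routing table for d. */
    private void buildRoutes(int d) {
        int[] dist = new int[n];
        Arrays.fill(dist, -1);
        dist[d] = 0;
        nextHop[d][d] = d;
        Deque<Integer> q = new ArrayDeque<>();
        q.add(d);
        while (!q.isEmpty()) {
            int u = q.poll();
            for (int v : adj.get(u)) {
                if (dist[v] < 0) { dist[v] = dist[u] + 1; nextHop[v][d] = u; q.add(v); }
            }
        }
    }

    /** Total number of packets currently waiting in the FIFO queues. */
    int backlog() {
        int total = 0;
        for (Deque<Packet> q : queues) total += q.size();
        return total;
    }

    /**
     * Adversary step: injects up to maxInject packets with random source/destination, each bad with
     * probability badProb. When the backlog exceeds backlogLimit it halves its rate, so the network
     * stays stressed without being overstressed.
     */
    void adversaryStep(int maxInject, double badProb, int backlogLimit) {
        int inject = backlog() > backlogLimit ? maxInject / 2 : maxInject;
        for (int i = 0; i < inject; i++) {
            int s = rng.nextInt(n), d = rng.nextInt(n);
            if (s == d) continue;
            queues.get(s).add(new Packet(s, d, rng.nextDouble() < badProb));
        }
    }

    /** Forwarding step: every node moves the head of its FIFO queue one hop towards the destination. */
    void forwardStep() {
        List<List<Packet>> incoming = new ArrayList<>();
        for (int i = 0; i < n; i++) incoming.add(new ArrayList<>());
        for (int v = 0; v < n; v++) {
            Packet p = queues.get(v).poll();
            if (p == null) continue;
            int next = nextHop[v][p.dst];
            if (next == p.dst) { delivered++; if (p.bad) badDelivered++; }
            else incoming.get(next).add(p);
        }
        for (int v = 0; v < n; v++) queues.get(v).addAll(incoming.get(v));
    }

    void run(int steps, int maxInject, double badProb, int backlogLimit) {
        for (int t = 0; t < steps; t++) { adversaryStep(maxInject, badProb, backlogLimit); forwardStep(); }
    }

    public static void main(String[] args) {
        // Constructed topology: a six-node ring with one chord between nodes 1 and 4.
        int[][] edges = { {0, 1}, {1, 2}, {2, 3}, {3, 4}, {4, 5}, {5, 0}, {1, 4} };
        MiniSimulator sim = new MiniSimulator(6, edges, 42L);
        sim.run(200, 3, 0.2, 30);
        System.out.println("delivered=" + sim.delivered + " bad=" + sim.badDelivered + " backlog=" + sim.backlog());
    }
}
```

Each node forwards exactly one packet per time step, which is the unit-capacity link of the adversarial queueing model; the backlog counter is what lets the adversary adapt, and `badDelivered` is the number that an artificial immune system placed at the nodes would be expected to reduce.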
Artificial Immune System
The artificial immune system provides an artificial-cell environment in each node. This environment provides the functionality so that the artificial cell can perform all required tasks: accessing system files, checking packets, moving agents, communication/collaboration between agents, etc. This environment also shares the computational power over all artificial cells so that each artificial cell can perform its task. Interfaces exist for all components of the artificial immune system so that different types of the components can be implemented easily.
Using this open environment, it is possible to model nearly all immunological processes. An immunological process consists of cells performing some tasks, local cell communication and movement of cells. The movement of cells is implemented such that the artificial cell is packed into one or more packets which the node then sends to the destination node. The destination node unpacks the packets and starts the cell again. The local cell communication is realised using a Status Storage in each node. In this Status Storage, each artificial cell can insert messages and read the messages inside it.
The attack management is also a system which can be easily enhanced. There is a packet evaluator which evaluates whether a packet contains an attack or not. With this packet evaluator, which cannot be accessed by the artificial cells, it is possible to evaluate the decisions of the artificial cells. Using the Status Storage and the packet evaluators, it is possible to model complex attack and defence scenarios. E.g., the second signal, where two cells must identify a packet as malicious, is implemented.
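The following is an added example (not SANA's code) of one node's Status Storage, a packet evaluator that the cells cannot reach, and the second-signal rule from the paragraph above: a packet is removed only after two distinct cells have inserted an alert for it into the Status Storage. The cell interface, the cell type, the message format and the sample packets are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example (not SANA's code): one node's Status Storage, a hidden packet evaluator and the second-signal rule. */
public class SecondSignalNode {

    /** Ground truth held by the simulator; cells are never handed a reference to it. */
    static final class PacketEvaluator {
        private final Set<String> attackPayloads;
        PacketEvaluator(Set<String> attackPayloads) { this.attackPayloads = attackPayloads; }
        boolean isAttack(String payload) { return attackPayloads.contains(payload); }
    }

    /** Local message board of a node: cells insert messages and read everything inserted so far. */
    static final class StatusStorage {
        private final List<String> messages = new ArrayList<>();   // constructed format "cellId:ALERT:packetId"
        void insert(String cellId, String message) { messages.add(cellId + ":" + message); }
        List<String> read() { return new ArrayList<>(messages); }
        /** Number of distinct cells that alerted on this packet: the signals counted by the second-signal rule. */
        int distinctAlerters(String packetId) {
            Set<String> cells = new HashSet<>();
            for (String m : messages) {
                String[] parts = m.split(":", 3);
                if (parts.length == 3 && parts[1].equals("ALERT") && parts[2].equals(packetId)) cells.add(parts[0]);
            }
            return cells.size();
        }
    }

    interface ArtificialCell {
        String id();
        void check(String packetId, String payload, StatusStorage storage);
    }

    /** Basic packet-filter cell: alerts when the payload contains one of its signature strings. */
    static final class SignatureCell implements ArtificialCell {
        private final String id;
        private final List<String> signatures;
        SignatureCell(String id, List<String> signatures) { this.id = id; this.signatures = signatures; }
        public String id() { return id; }
        public void check(String packetId, String payload, StatusStorage storage) {
            for (String s : signatures) {
                if (payload.contains(s)) { storage.insert(id, "ALERT:" + packetId); return; }
            }
        }
    }

    /** Score of the cells' decisions, computed with the evaluator the cells cannot see. */
    static final class Outcome {
        int truePositives, falsePositives, missed;
        @Override public String toString() {
            return "TP=" + truePositives + " FP=" + falsePositives + " missed=" + missed;
        }
    }

    /** Runs every cell over every packet; a packet is removed only if at least two distinct cells alerted. */
    static Outcome process(List<ArtificialCell> cells, Map<String, String> packets, PacketEvaluator evaluator) {
        StatusStorage storage = new StatusStorage();
        Outcome out = new Outcome();
        for (Map.Entry<String, String> e : packets.entrySet()) {
            for (ArtificialCell c : cells) c.check(e.getKey(), e.getValue(), storage);
            boolean removed = storage.distinctAlerters(e.getKey()) >= 2;   // second signal
            boolean attack = evaluator.isAttack(e.getValue());            // hidden ground truth
            if (removed && attack) out.truePositives++;
            else if (removed) out.falsePositives++;
            else if (attack) out.missed++;
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample packets and constructed ground truth.
        Map<String, String> packets = new LinkedHashMap<>();
        packets.put("p1", "GET /index.html EVIL");
        packets.put("p2", "X marks the spot");
        packets.put("p3", "plain benign text");
        packets.put("p4", "EVIL X payload");
        packets.put("p5", "stealthy attack");
        PacketEvaluator evaluator = new PacketEvaluator(new HashSet<>(Arrays.asList(
                "GET /index.html EVIL", "EVIL X payload", "stealthy attack")));
        List<ArtificialCell> cells = Arrays.<ArtificialCell>asList(
                new SignatureCell("A", Arrays.asList("EVIL", "X")),
                new SignatureCell("B", Arrays.asList("EVIL")),
                new SignatureCell("C", Arrays.asList("X")));
        System.out.println(process(cells, packets, evaluator));
    }
}
```

In the constructed run, the two packets carrying "EVIL" are flagged by two cells each and removed, the benign packet "X marks the spot" is also removed because two cells share the weak signature "X" (a false positive the second signal cannot prevent when signatures overlap), and the "stealthy attack" payload matches no signature at all, so it is missed. The evaluator sees all of this; the cells only ever see the Status Storage.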
Artificial Cells
The artificial cells are the main component of the artificial immune system. These cells flow through the network and perform the protection tasks. Therefore, a Java interface is added in order to handle all artificial cells, and each new artificial cell is a new Java agent class which implements the interface. Using the artificial-cell environment of the artificial immune system, it is possible to add new artificial cells which perform new tasks and, consequently, the system can easily be enhanced. Furthermore, an administrator can update and adapt the artificial immune system to new situations and new attacks using new artificial cells.
With these artificial cells, it is possible to create a massively distributed system like the immune system.
Currently there are several different artificial cells:
- Basic artificial cells which work like a packet filter. These cells know some information on how to identify an attack, e.g. whether a packet contains a specific string, and check the packets in order to identify these attacks.
- ANIMA-ID, which checks packets in order to find intrusions in them. Thereafter, the packets are either disinfected or removed. This is an efficient enhancement of the first basic artificial cell.
- ANIMA-AD, a future artificial cell which evaluates whether the network traffic contains abnormal traffic or not.
- AGNOSCO, which identifies infected nodes, e.g. where a virus succeeded in attacking the node and is installed in the network.
- An artificial cell which knows how to disinfect a set of attacks. Thus, if e.g. AGNOSCO identifies a node as infected, it informs the artificial lymph nodes and these activate this artificial cell. It travels to the infected node and disinfects it.
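As an added example (hypothetical, not the project's own interface), the block below shows the pattern described in this section and in the environment description above: one Java interface for all artificial cells, a concrete agent class implementing it, and movement implemented by packing the cell's state into fixed-size packets and restarting it at the destination. The interface, the `PatrolCell` type, the packet size and the route are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example (hypothetical, not SANA's interface): cells as agent classes that migrate by pack/unpack. */
public class CellMigration {

    /** Every artificial cell type implements this interface; the environment handles cells only through it. */
    interface ArtificialCell extends Serializable {
        String name();
        /** Performs the cell's task at currentNode and returns the node to move to, or -1 when the cell dies. */
        int act(int currentNode, List<String> log);
    }

    /** A patrol cell: visits the nodes on its route in turn and dies after a fixed number of steps. */
    static final class PatrolCell implements ArtificialCell {
        private static final long serialVersionUID = 1L;
        private final int[] route;
        private int position = 0;
        private int lifetime;
        private final List<Integer> visited = new ArrayList<>();

        PatrolCell(int[] route, int lifetime) { this.route = route; this.lifetime = lifetime; }
        public String name() { return "patrol"; }
        public int act(int currentNode, List<String> log) {
            visited.add(currentNode);
            lifetime--;
            log.add(name() + " at node " + currentNode + ", remaining lifetime " + lifetime);
            if (lifetime <= 0) return -1;
            position = (position + 1) % route.length;
            return route[position];
        }
        List<Integer> visited() { return visited; }
    }

    static final int PAYLOAD_BYTES = 64;   // constructed packet payload size; forces a multi-packet transfer

    /** Packs the cell's serialized state into one or more fixed-size packets for the network. */
    static List<byte[]> pack(ArtificialCell cell) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(cell); }
        byte[] all = buf.toByteArray();
        List<byte[]> packets = new ArrayList<>();
        for (int off = 0; off < all.length; off += PAYLOAD_BYTES) {
            packets.add(Arrays.copyOfRange(all, off, Math.min(all.length, off + PAYLOAD_BYTES)));
        }
        return packets;
    }

    /** The destination node reassembles the packets and restarts the cell from its serialized state. */
    static ArtificialCell unpack(List<byte[]> packets) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        for (byte[] p : packets) buf.write(p, 0, p.length);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (ArtificialCell) in.readObject();
        }
    }

    /** Runs one cell from startNode until it dies, migrating by pack/unpack at every hop. */
    static List<Integer> simulate(PatrolCell cell, int startNode, List<String> log) throws Exception {
        ArtificialCell current = cell;
        int node = startNode;
        int packetsSent = 0;
        while (true) {
            int next = current.act(node, log);
            if (next < 0) break;
            List<byte[]> packets = pack(current);     // the node packs the cell ...
            packetsSent += packets.size();
            current = unpack(packets);                // ... the destination unpacks and restarts it
            node = next;
        }
        log.add("packets sent in total: " + packetsSent);
        return ((PatrolCell) current).visited();
    }

    public static void main(String[] args) throws Exception {
        List<String> log = new ArrayList<>();
        List<Integer> visited = simulate(new PatrolCell(new int[] {0, 3, 5}, 5), 0, log);
        for (String line : log) System.out.println(line);
        System.out.println("visited: " + visited);
    }
}
```

Because `unpack` produces a fresh object from the byte stream, the cell's state (route position, lifetime, visited list) travels with it and the copy left at the sending node can be discarded. A node that restarts whatever arrives should first verify that the packets come from a legitimate part of the immune system, which is what the receptor check in the communication section below provides: `ObjectInputStream` instantiates any serializable class named in the stream, so unauthenticated cell packets would turn every node into a deserialization endpoint.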
Additionally, it is possible to add more artificial cells which perform different tasks for network protection. Some ideas for other artificial cells:
- Artificial cells which analyse the network traffic statistically and try to identify intrusions.
- If an attack succeeds and installs itself on a node, some files and parameters on the node are changed, e.g. system configuration files. This can be observed by an artificial cell. Moreover, it is possible to identify the attack or to start a disinfection using this information.
- etc.
Artificial Cell Communication
The artificial immune system consists of lots of different components, e.g. different types of artificial cells which work autonomously. In order to increase network security, these components should cooperate. For this, a communication mechanism is needed which should be efficient, distributed and secure. Therefore, SANA is enhanced by an artificial cell communication with different parts:
- Receptors: Receptors are used for the identification of two components. A receptor is a public/private key pair, and checking the knowledge of the keys is supervised by SANA.
- Substances: Substances are used for the communication. Substances contain receptors which describe the receivers, and SANA guarantees that only valid receivers get the information.
- Artificial Lymph Nodes: These nodes supply the artificial cells in a part of a network. They are installed redundantly, and a set of artificial lymph nodes supplies a certain part of a network. They e.g. release required artificial cells, immunise the network part and take care of the routing of substances.
- CNTS (Central Nativity and Training Station): CNTS are special nodes which supply the lymph nodes. A CNTS mainly releases new artificial cells so that the number of artificial cells in the system stays constant, because artificial cells die over time. A CNTS is motivated by the bone marrow of the human body. In contrast to the human body, SANA has several redundant CNTS.
The whole communication and each of its parts are motivated by the cell communication in the human body. The cell communication is distributed and no central component is used.
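The following is an added example (not SANA's code) of the receptor and substance mechanism described above: a receptor is an RSA key pair, a substance lists the receptor ids of its receivers, and a supervising environment releases the message only to a component that is listed and proves knowledge of the matching private key by signing a fresh challenge. The component, substance and supervisor classes, the use of RSA with SHA-256, and the encoding of a receptor id as the Base64 public key are assumptions made for the example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;

/** Added example (not SANA's code): receptors as key pairs and substances delivered only to proven receivers. */
public class ReceptorSubstance {

    /** The public half of a receptor, encoded as a string so it can be listed in substances and compared. */
    static String receptorId(PublicKey key) { return Base64.getEncoder().encodeToString(key.getEncoded()); }

    /** A component of the immune system (cell, lymph node, CNTS) identified by its receptor key pair. */
    static final class Component {
        final String label;
        final KeyPair receptor;
        Component(String label) throws GeneralSecurityException {
            this.label = label;
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            this.receptor = gen.generateKeyPair();
        }
        String id() { return receptorId(receptor.getPublic()); }
        /** Proves knowledge of the private key by signing the supervisor's challenge. */
        byte[] prove(byte[] challenge) throws GeneralSecurityException {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(receptor.getPrivate());
            s.update(challenge);
            return s.sign();
        }
    }

    /** A substance: the message plus the receptor ids of the intended receivers. */
    static final class Substance {
        final String message;
        final Set<String> receivers;
        Substance(String message, Set<String> receivers) { this.message = message; this.receivers = receivers; }
    }

    /** Delivery supervised by the environment: the claimed receptor must be listed AND the claimant must prove its private key. */
    static final class Supervisor {
        private final SecureRandom rng = new SecureRandom();

        Optional<String> deliver(Substance substance, String claimedReceptorId, Component claimant)
                throws GeneralSecurityException {
            if (!substance.receivers.contains(claimedReceptorId)) return Optional.empty();   // not a receiver
            // The verification key is rebuilt from the claimed id, so the proof must come from that receptor's private key.
            PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                    new X509EncodedKeySpec(Base64.getDecoder().decode(claimedReceptorId)));
            byte[] challenge = new byte[32];
            rng.nextBytes(challenge);                          // fresh per delivery, so proofs cannot be replayed
            byte[] proof = claimant.prove(challenge);
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(key);
            v.update(challenge);
            boolean ok;
            try { ok = v.verify(proof); } catch (SignatureException e) { ok = false; }
            return ok ? Optional.of(substance.message) : Optional.empty();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Component lymphNode = new Component("lymph-node-1");
        Component cell = new Component("anima-id-cell");
        Component impostor = new Component("impostor");
        Supervisor sana = new Supervisor();

        // Constructed substance from a CNTS, addressed to the lymph node's receptor only.
        Substance s = new Substance("release 3 new cells into segment A", Collections.singleton(lymphNode.id()));

        System.out.println("lymph node receives: " + sana.deliver(s, lymphNode.id(), lymphNode).isPresent());
        System.out.println("other cell receives: " + sana.deliver(s, cell.id(), cell).isPresent());
        // The impostor claims the lymph node's receptor id but can only sign with its own private key.
        System.out.println("impostor receives:   " + sana.deliver(s, lymphNode.id(), impostor).isPresent());
    }
}
```

Only the listed lymph node obtains the message; the unlisted cell fails the membership check and the impostor fails the signature check. The random challenge is what makes "checking the knowledge of the keys" meaningful: a captured proof from an earlier delivery does not verify against a new challenge.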
Visualisation
In cooperation with Oltjon Sulanjaku (TFE student at the University of Luxembourg), we added a 3D visualisation of the SANA network. This visualisation uses Java, Java3D and WilmaScope in order to display the nodes and connections of the network. The colour and thickness of nodes and connections display different information, and using a filter system it is possible to visualise only the important parts of the network.
Scenarios for Testing
The implementation contains an interface for scenarios which are used to test the artificial immune system. A scenario is a Java class which implements the interface, and in this class all required parameters are set: the topology of the network, the behaviour of the adversary (e.g. which attacks and how many packets are inserted) and the behaviour of the artificial immune system (e.g. which types of artificial cells, the behaviour of the cells or how many cells are in the network). Furthermore, some immunological processes are implemented in the scenarios, e.g. the second signal or a first implementation of the cytokines for cell communication. Using the scenario interface, it is easy to define novel scenarios because it is nearly a construction kit.
After defining the scenario, the simulator runs the scenario for a given number of time steps and stores the collected results in a log file. Thereafter, the user can interpret the results and analyse how to improve the artificial immune system.
Currently (26 June 2006), there are 16 different scenarios which simulate different networks, e.g. rings, backbones and connected smaller rings, or which simulate more than one network connected by a backbone. Some of these scenarios use the artificial immune system of SANA for network protection and some a NIDS. One scenario is a model of a realistic worm attack.
Results of Simulations
In the 14 scenarios, SANA performs well. It identifies about 60%-80% of the attacks and it cooperates with a NIDS without any problems. Furthermore, it performs better than a centralised IDS (e.g. a NIDS like SNORT) in nearly all scenarios. An overview of 12 simulations is summarised in this pdf-file.
On this page, the performance of the implementation is discussed, especially the performance with lots of nodes and artificial cells.
Applications
The application of the artificial immune system is not to replace existing NIDS. The artificial immune system SANA is an enhancement of current NIDS. SANA runs on each node, e.g. routers, switches, personal computers (PCs), production servers, etc. A NIDS checks each packet which is routed over it. With the right placement of a NIDS, e.g. at the Internet gateway, e-mail server, etc., the NIDS identifies lots of attacks. However, there exist situations in which the NIDS cannot identify an attack, e.g. the packet is not routed over the NIDS (PC-to-PC communication) or the NIDS is overloaded. In particular, the following scenario describes how a NIDS cannot protect the whole network: a PC is infected by a worm and the worm starts to infect all other PCs; until the worm tries to attack the NIDS, the NIDS will not know that the worm is in the network.
In these cases, SANA will protect the nodes because it protects each node and shares the computational power over all nodes. Consequently, SANA cooperates with NIDS.
Moreover, SANA replaces current host-based intrusion detection systems (HIDS) because HIDS are too static and adapt too slowly to the current situation in the network. Furthermore, SANA can run with low computational power on network equipment (routers, switches, etc.), which increases the cost of the network equipment only a little.
Next Steps
- Use the artificial cells and the artificial cell communication in order to build up a self-management of SANA. The goal is to increase network security and to obtain a guarantee of a certain level of security.
- Add more realistic scenarios and model different attack types.
- Currently, it is necessary to edit source code in order to define a new scenario. In the future, it would be nice to have a construction kit for scenario definition.
Student Projects
There are student projects (SPP, TFE, BAC, DIP, MAS and PRC level) available in the scope of SANA. More information can be found here.